Over a third of the web uses WordPress to power their website. That's a lot of sites and a big target for hackers and other threats.
You might think your website is safe due to the sheer number of sites online but security by obscurity isn't a good solution. Let's go through a WordPress security checklist that will help keep your site secure from attacks.
Why Would a Hacker Care About Your Site?
It doesn't matter how big or small your site is or how large your audience is, if you're running WordPress, it's attractive to hackers. If they get access to your site they can use it as a spamming proxy, for distributing malware, or to initiate attacks against your hosting service.
Hackers run search scripts that scour the internet looking for WordPress-based sites. When they find them, they'll probe for thousands of known vulnerabilities. If your site is vulnerable, it's an easy target.
Keep WordPress Up-to-Date
One of the simplest but most important security tips is to keep WordPress and other components of your website updated. Like Windows and macOS, WordPress gets updated regularly to add features, fix bugs, and patch security problems. Keeping up to date means you'll be at risk for fewer vulnerabilities.
It's not just WordPress though. Make sure you keep any plugins and themes installed on your site up-to-date as well. These components can also pose security risks, even if WordPress itself is fully updated. Delete any inactive plugins and themes as well. Even if they're not active, they can still pose security risks.
Use Strong Passwords
All users on your site should use strong passwords, especially any administrators. Use a minimum of 12 characters and a combination of upper and lower case text, numbers, and symbols. Stay away from obvious things like "password" and even less obvious words found in a dictionary.
Brute force attacks can run thousands of passwords through your site in minutes so if your password is a common word, it's much more likely to get uncovered.
Install an SSL Certificate
You should install an SSL certificate on your WordPress site so it works with the https protocol. This supports end-to-end encryption so everything you send to the site gets encrypted.
If you aren't using SSL, your password and other information you send to the site can be intercepted by anyone with the necessary skills. This is especially important if you log into your site on public WiFi networks where anyone could be sniffing the data.
Change the Default Admin Username
Most WordPress sites use the default "admin" username for the site administrator. This makes an easy target for brute force attacks.
Change the username to something unique (administrator isn't much better) so hackers won't have an easy vector into your website.
Beyond this Security Checklist
This WordPress security checklist is a good starting point but there are plenty of other things you can do to secure your site even further. You can install a security plugin like Wordfence or Sucuri as well as a good backup plugin so you have an up-to-date copy of your website if something does go wrong.
And check out our other website security posts for more helpful information, both for WordPress and other types of sites.